Hacking Your Backups: FileSlinger™ Backup Reminder 06-15-07

So here I am on vacation with my family (10 adults and 3 children, including me), dutifully connecting my X drive and letting Karen’s Replicator copy my files onto it every time I start the computer. Mozy tells me it last backed up my files 54 minutes ago, and SyncBack has continued to replicate everything important onto my D drive whenever the machine is idle (which is fairly often, since I am on vacation).

My father, my brother, and my cousin Jason also brought their laptops; it’s a good thing there’s Wireless-N in the house. (The less-good thing is that the cable connection is inexplicably sloooooowww.) There’s also a house desktop computer—which, the day before yesterday, experienced a rather spectacular crash of a kind I hadn’t seen. My cousin Amanda summoned me to rescue her when it happened. After several restarts, including one in safe mode, it booted normally, but I never did know what caused the problem. I don’t think any of the machine’s installation disks are here, either; or, at least, they were nowhere in sight.

I asked my brother how his homemade NAS box was working. He said “Fine, as far as I know.” He hasn’t had to restore anything from it, and mostly seems to ignore it. Which is what we all want to be able to do with our backups, though it’s not necessarily advisable.

In an interesting quirk of timing, my Google alerts found several references to the hazards of online backup at the same time my FileSlinger™ website went down. It appears that my hosting company, iPowerWeb, was hacked. The site came back up eventually, but with a blank home page. When I logged in to the control panel, I was prompted to change my password—again. I’d been using the same randomly generated password for years and had never been asked to change it until a couple of weeks ago. (The service I use to send this e-zine, on the other hand, prompts me for a new password every month, which is a real pain in the anatomy and leads to using weaker passwords because they’re easier to remember.)

Once I’d done that and logged in, I found a strange thing in my public_html folder: first, an index.html file of 0K (meaning there was nothing in it, hence the blank page I was seeing when I entered the site address), and then a file called index.html.MAL_CODE.html.

“WTF?” I said to the Ur-Guru, who responded “Your site has been hacked.”

I then sent a message to iPowerWeb support asking whether my site had been hacked, and their response (change all your passwords immediately) strongly suggested that the answer was “Yes.”

So. I changed my passwords again, and then went over to Blogger to change it there so I could publish the blog. The Backup Blog appears not to have been touched, and the whole Author-izer subdomain was fine, too. As for the MAL_CODE file, it appears perfectly normal; I can’t see any difference between the code for that file and the HTML in the file I uploaded from my hard drive to replace the blank index.html file.

In any case, it’s a good reminder of why you need to have a copy of your website files on your hard drive. (It was also a reminder that there are some pages on the site which I haven’t finished updating, though in fact the whole site needs another major overhaul. Having a website is like having a lawn: it requires constant maintenance.)

Attacks on web hosts are one reason not to assume that everything you store online is safe. Sure, online storage has the advantage of being offsite and likely to remain safe if something happens to your computer at home (or, more likely, when you’re traveling with it). But that doesn’t mean online services are invulnerable.

Most popular online services are only a few years old, and there’s no telling whether the companies behind them will last. Some services become so popular that the computers running them break down under the strain of trying to handle so many demands. (That’s been happening to DreamHost, a popular low-cost, high-bandwidth web hosting company, which can’t keep up with its own growth.) And, of course, the more popular something is, the more attacks will be directed against it. (That’s why there are so many more Windows than Mac viruses.)

Back in March of 2006, blogger Jeremy Zawodny described anyone who relied on free beta services like Gmail for backup and didn’t keep more than one copy of crucial data as a (pardon his English) “dipshit.”

This seems a trifle harsh to me, but it’s true that blindly trusting someone else, even a large and theoretically reliable company like Google, Yahoo, or Hotmail/Microsoft, to protect your critical data can be dangerous. It’s terrific that you can back up your data offsite for free using any number of services. Doing that is certainly better than not backing up at all.

But don’t think that having an online backup absolves you of the responsibility to make local backups. And don’t believe that your data is safe because it’s online instead of on your hard drive. The servers used by Flickr, Google, and the like, locked into their cages in data centers bristling with fire protection and keycard security, are almost certainly physically safer than your own computer, but they can be hacked, and they’re just as vulnerable to drive failures as you are at home. And there’s no guarantee that they’re keeping backup copies of your data, so you need to do it yourself.